PHI of Over 26,000 Patients Exposed Due to Arkansas DHS Privacy Breach

The Arkansas Department of Human Services (DHS) fired a former employee from her new job at the state hospital for sending files containing patients’ protected health information (PHI) to her personal email account. Yolanda Farrar worked as a payment integrity coding analyst at the DHS but was terminated on March 24, 2017. DHS spokesperson Amy Webb said that Farrar was terminated for violating DHS policy on professionalism, teamwork and diligent and professional performance.

Farrar talked with her supervisor about concerns with her performance and found out that DHS was planning to fire her. Within minutes of that conversation, Farrar sent spreadsheets from her work email account to a personal email account.

Farrar decided to sue DHS for unfair dismissal. In preparing to represent the DHS in court, DHS lawyers checked the emails Farrar had sent from her work email account. When they found the spreadsheets and emails on August 7, the DHS privacy officer was immediately informed of the discovery and an internal investigation of the incident was conducted.

The investigators found that the spreadsheets contained a variety of sensitive patient data such as names, dates of birth, Medicaid ID numbers, diagnoses, medical procedure codes, as well as some Social Security numbers. Every item in the spreadsheets was checked one by one and, after removing the duplicates, DHS identified the PHI of 26,044 patients that was emailed to Farrar’s personal account.

By emailing the files, Farrar violated DHS policies as well as state and federal laws. Farrar was already working at the state hospital, but upon discovery of her violation she was fired from that position. The privacy breach investigation is still ongoing and the DHS plans to file criminal charges against Farrar.

The DHS now puts all employees through privacy training. Employees must pass the training test before they are allowed internet access. They also need to know that it is forbidden to email confidential data outside the agency. The agency also reviewed its policies and procedures to determine what other actions should be implemented to minimize the chance of similar breaches happening again.

DHS affirmed that all persons affected by the breach will be sent notification letters regarding the privacy breach by mail.